Found my problem: adding rules to the NAT table's PREROUTING chain was able to block traffic to my local network, but still allow all ports to the internet. Took a while to read the iptables manpage and the INPUT, FORWARD, OUTPUT and NAT chain documentation.
Thanks for the comment and help.

On 10/14/07, Eric Hattemer <[EMAIL PROTECTED]> wrote:
> Eric Hattemer wrote:
> > Whoever Whatever wrote:
> >
> >> Hi,
> >> when I have a linux box with two NICs, one $EXTIF (external) and
> >> one $INTIF (subnet=192.168.176.0/20). With ip masq turned on:
> >> iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> >>
> >> how do I block $INTIF (192.168.176.0/20) from accessing ports (i.e. 80) on
> >> the linux box (192.168.176.1), but still allow port 80 access using ip
> >> masq to the outside world?
> >>
> >> I tried the filters below, but I still can access port 80 after
> >> applying the rules:
> >> iptables -A INPUT -i $INTIF -p tcp -m tcp --dport 80 --syn -j DROP
> >> iptables -A FORWARD -i $INTIF -p tcp -m tcp --dport 80 --syn -j DROP
> >> iptables -A INPUT -p tcp -s 192.168.176.0/20 -d 192.168.176.1 --dport 80 -j DROP
> >>
> >> anyone know if it's possible?
> >>
> >
> > I don't know any iptables, because I've never had to. Maybe someone on
> > the list will answer your question, but in the meantime, I strongly
> > suggest a program called fwbuilder. You drag your rules around, and
> > when you're done, you can auto-generate scripts for every major
> > routing/firewall language you can think of.
> >
> But if you do have a pretty good idea of what you're doing and want to
> debug it, Phil Dibowitz wrote a nice program called IPTState at
> http://www.phildev.net/iptstate/ that shows you what iptables is up to
> in realtime. It's of wide enough acclaim that you can probably find it
> in your local package management tool.
>
> -Eric Hattemer
>
> _______________________________________________
> [email protected] mailing list
> http://lists.hosef.org/cgi-bin/mailman/listinfo/luau
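The following is an added example, not a script from this thread or from either poster. It builds the filter-table ruleset that answers the original question without touching the nat PREROUTING chain: packets addressed to the router itself traverse INPUT, packets being masqueraded to the Internet traverse FORWARD, so the block belongs in INPUT and the permit in FORWARD. The 192.168.176.0/20 subnet, the 192.168.176.1 router address and the MASQUERADE rule are taken from the question; the interface names eth0/eth1, the list of blocked local ports and the APPLY switch are assumptions. Rules are printed unless APPLY=1 is set, so the script can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): filter-table rules for a two-NIC
# masquerading box. LAN hosts may not reach selected ports on the box
# itself but may reach any port on the Internet through it.
#
# Interface names, blocked ports and the APPLY switch are assumptions;
# the subnet, router address and MASQUERADE rule come from the question.

EXTIF="${EXTIF:-eth0}"         # assumed external interface
INTIF="${INTIF:-eth1}"         # assumed internal interface
LAN="192.168.176.0/20"         # internal subnet from the thread
ROUTER_IP="192.168.176.1"      # the box's address on $INTIF
BLOCKED_LOCAL_PORTS="80 443"   # assumed: services on the box LAN hosts may not use

# run CMD...: execute when APPLY=1, otherwise print the command (dry run).
run() {
    if [ "${APPLY:-}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

ipt() { run iptables "$@"; }

apply_rules() {
    # Forwarding must be on or masquerading does nothing.
    run sysctl -w net.ipv4.ip_forward=1

    # Replies to masqueraded flows arrive on $EXTIF and must be forwarded
    # back; accept them before the DROP policy below can eat them.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # LAN -> Internet on any port, only from the LAN prefix, only LAN->WAN.
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -j ACCEPT
    ipt -P FORWARD DROP

    # The masquerade rule from the original question.
    ipt -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

    # Traffic for the router itself never enters FORWARD; it goes through
    # INPUT. Match on the ingress interface rather than on $ROUTER_IP so a
    # LAN host cannot sidestep the rule by addressing the box's external IP.
    # No --syn: dropping every packet also kills connections that were
    # already open (e.g. an HTTP keep-alive) when the rule was added.
    for port in $BLOCKED_LOCAL_PORTS; do
        ipt -A INPUT -i "$INTIF" -p tcp --dport "$port" -j DROP
    done
}

# Counts the DROP rules apply_rules would install in INPUT (for checking).
count_input_drops() {
    apply_rules | grep -c -- '-A INPUT .* -j DROP'
}

apply_rules
```

Run it once without APPLY to read the generated commands, then with `APPLY=1` as root. Afterwards `iptables -L INPUT -n -v --line-numbers` shows the per-rule packet counters; if a LAN client still reaches port 80 on 192.168.176.1 and the DROP counter stays at zero, the packet is hitting an earlier ACCEPT rule in INPUT, which is the usual reason an appended (`-A`) DROP appears not to work.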
